With new dynamic capabilities, will whitelisting finally catch on?

In this age of destructive and fast-spreading malware, companies are giving whitelisting a second look -- and with cloud-based, peer-to-peer whitelists and reputation scoring, the technology now has a chance to be widely adopted.

Everybody knows and hates whitelisting. Employees are only allowed to install approved software on their desktops and laptops, so they're always complaining and asking for exceptions. Management eventually gets fed up with it and stops the experiment.

For mobile devices, enterprises have a number of tools at their disposal, including mobile device management. In addition, malware has a harder time jumping from infected phones to the rest of a corporate network. When it comes to infected laptops and desktops, the sky is the limit where potential damage is concerned.

We are in an age of destructive and fast-spreading malware, like the recent WannaCry ransomware attack, and this is encouraging companies to give whitelisting a second look. They will see that whitelisting solutions have matured. Capabilities like cloud-based, peer-to-peer whitelists and reputation scoring give the technology a better chance to catch on, although some believe it is still not ready for prime time.

The new dynamic whitelists are updated in real time based on recommendations from other users, reputation scores, and other data and, in theory, offer the promise of nearly-perfect endpoint security with very low management overhead. Machine learning can help address the question of whether an application is likely to be malicious or not based on its behaviors and on the analysis of known malware and known good software.

"I believe that the number one way to protect against ransomware technologically is the use of application control, or white listing," says Rob Clyde, security consultant and member of the ISACA board of directors. "First generation whitelisting has been difficult to implement. Keeping that list together was a management nightmare, but recently in the last year or two it has become much more straightforward. With next generation whitelisting, the lists are automatically kept and are pre-populated with already trusted, well-known programs."

Robert Huber, chief security and strategy officer at Salt Lake City-based Eastwind Networks, used and tested application whitelisting in the early 2000s, then came back to it again in 2007 with industrial control systems. In fast-changing environments, it was difficult for whitelisting to work, he says. But that is changing. "I believe the intersection of crowdsourcing, machine learning, and cyber threat intelligence coupled with predictive analytics could lead to a model where new applications can be quickly vetted and ranked to speed the decision cycle," he says.

Does it really work?

One Fortune 100 manufacturing company has long been using whitelists for single-purpose desktops and servers, but has begun piloting a next-generation whitelisting product from McAfee. "Overall, it's been pretty good," says a cybersecurity expert at the company, who did not want to be quoted by name.

At first, there was some grumbling, he says. Employees were used to installing anything they wanted on their desktops, and then, if they got infected, the company would wipe and reimage their machines. That slash-and-burn approach doesn't work with the recent increase in malicious attacks, he says. Plus, the focus of the malware has changed. "It's gone from kids trying to gain headlines to industrialized and commercialized efforts to gain control behind the scenes to leverage money-making opportunities," he says.

As the whitelisting technology was rolled out, re-imaging requests fell by about 20 percent a month for the first six months, and then continued to fall at a slower pace. Today, the company gets only a quarter as many re-imaging requests as it used to. That number will continue to drop as more employees in the pilot group come on board, but there's only so far it can go, he says.

"There's always a number of factors that come into effect that reduce the effectiveness of any security product," he says. For example, there are always cases where some users need exceptions to be written in. "And, for various reasons, there's always a small group of end users who try to circumvent security processes for what they think are innocuous reasons." Those employees try to get their downloads approved by trying to sneak them in through an existing exception, without understanding what they're doing or putting in the effort to get the risky software formally approved.

As the new whitelisting system improves security, management overhead has remained low. "Leveraging things like global threat intelligence and reputation and end-user and client feedback and suggestions, the whitelisting programs have become far more effective and intuitive," he says.

So why isn't the company rolling it out more broadly? "There are a lot of gun-shy people out there, especially in management, who don't want to introduce the kinds of impacts that we've seen in the past," he says. "That is changing. It just has to be proven out and communicated and all that good stuff."

Clouds, peer-to-peer, sandboxing and reputation scoring

The new whitelisting solutions typically use a combination of technologies to reduce errors and management overhead. Security managers can often choose from some combination of internal blacklists and whitelists; external whitelists generated and vetted by screened industry peers; vendor testing and analysis; and reputation scores.

For example, McAfee offers a multi-leveled approach to whitelisting that avoids the pitfalls associated with relying exclusively on one method. Take, say, crowd-sourced whitelists. "Anytime you have crowd sourcing, there can be a question about the integrity of the white list," says Candace Worley, VP and chief technical strategist at Santa Clara, Calif.-based McAfee LLC. "If I'm a bad guy, certainly that becomes a very attractive approach to spoofing my way into the environment. If someone is approaching whitelisting through purely crowd source, there's an inherent risk in that."

McAfee also uses other sources to build its whitelists, including allowing customers to designate trusted sources such as their own update server or vendor application management solutions. "Microsoft is updating its operating system three or four times a year," Worley says. "If you have to manually update your whitelist every time you get an OS update, application update or service pack, that's untenable from a resource perspective."

Added to that is a reputation scoring system that pulls in from the company's global threat intelligence and a reputation cloud that tracks known good and bad URLs and IP addresses.

For brand new, not-previously seen software that a user wants to download, the software is sent to a dynamic container. "We're going to let her download it, but we're going to ringfence it, and only allow it to do certain things on the system," Worley says. "And by watching its behavior, and how it executes in the sandbox, it will actually be able to determine whether it's good or bad. If it's bad, it will spit out an indicator of compromise, what to look for, and from that you can create behavioral rules and signatures going forward."

McAfee notes that machine learning is not applicable as part of dynamic application containment on the endpoint, given the small set of known most malicious execution behavior rules that are monitored and/or blocked. However, Network Sandboxing technology uses machine learning to convict sandbox-aware malware.

Many other antivirus vendors have also added dynamic whitelisting capabilities. Kaspersky, for example, uses dynamic whitelists to speed up the performance of its antivirus software. In addition, enterprises can deploy full whitelisting that combines the company's own whitelists with Kaspersky's cloud-based and allows the company to set rules as to which types of applications are allowed.

Advanced endpoint protection vendors also offer dynamic whitelisting as part of their product suites, including Trend Micro, Carbon Black, Lumension and Digital Guardian.

In addition, Microsoft has been updating its own whitelisting toolset. In Windows 10, enterprises have more configuration options to create whitelists based on rules such as whether the software comes from a trusted source. It's not yet a full dynamic whitelisting solution, but is a step in that direction.

Time to change the paradigm

What it all comes down to is that the old approach of spotting and blocking malicious software may have reached its limits. "Fundamentally, we need to change the way we interact with the Internet," says Frank Dickson, research director, worldwide security products at Framingham, Mass.-based International Data Corp. "This whole reactive approach we've taken for years just doesn't work."

Isolation technology is a good solution for when users want to surf the web or check their email, and might be visiting malicious sites or accidentally downloading infected attachments. Virtual endpoints can be set up either in the cloud or locally, on the user machine's. "If I download something bad, and it totally wrecks that virtual endpoint, that's okay," he says. "At the end of my browsing session, I close it down, and it's destroyed. It creates an isolation layer."

A number of companies are working on offering isolation technology and similar solutions. “There's a lot of different ways to skin this cat," he says. "We're really at the bleeding edge of all this."

Don't start celebrating just yet

Most experts agree that we're still at the very early stages of being able to solve the whitelisting problem. "I just don't think it's mainstream," says Javvad Malik, security advocate at San Mateo, Calif.-based AlienVault, Inc.

In fact, despite new features, the use of whitelisting has probably shrunk, he says. "Crowdsourcing and machine learning can definitely improve the quality of whitelisting, but it won't cover every scenario we have at this moment," he says.

Many companies aren't set up to be able to use cloud-based whitelisting, he added. "The infrastructure isn't really there to support it," he says.

The crowd-sourcing approach also has its own problems. "Crowd sourcing is great for getting lots of work done cheaply, and having as many eyes on it as possible, but it's easy to breach or bypass," says Ryan O'Leary, vice president of the threat research center at Santa Clara, Calif.-based WhiteHat Security, Inc. "If you're going to rely on the crowd, you have to rely on a group of people you don't know. Even if you vet them, there's lots of ways around that. Plus, crowd sourcing can be used as an attack surface, too."

The increasing complexity of today's organizations is also a signficant factor, says Paul Calatayud, CTO at Overland Park, Kansas-based FireMon. "Being a CISO, I have held roles where I have attempted to deploy whitelisting on endpoints without much success," he says.

Crowdsourcing and reputation scoring won't go far enough, he says. "Organizations are getting more and more complex," says Calatayud. "The idea of any single organization managing similar sets of applications and policies is becoming, even more less likely as network and technology become application-based. Pile on bringing your own device and mobility, and all of a sudden, whitelisting seems like an approach that should be left in the past."

In addition, different types of users need different kinds of applications, says Scott Petry, co-founder and CEO at Mountain View, Calif.-based Authentic8, Inc."Marketing may need access to the corporate Twitter or Facebook account, but that may not be an appropriate whitelist entry for all users," he says. Then there are the cases where a known reliable application gets a problematic update, or creates a vulnerability when combined with another application, he says.

Ultimately, whitelisting might be an effective tool, and crowdsourcing and other new technologies may make it even more practical. "But it is only one part of a comprehensive risk management or data security practice," says Petry.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.